Verify Required Ports Are Open Before Installing YugabyteDB or YBA

🚀 Intro

You’ve got your shiny new cluster nodes provisioned and ready for YugabyteDB or YugabyteDB Anywhere (YBA)… but before you install anything, there’s one easy-to-miss step that can save hours of debugging later: verifying that all required ports are open 🔓

An earlier YugabyteDB Tip showed how to check ports using ss or netstat, which works great after YB processes are running.

But what if you want to confirm network connectivity before installation, to catch firewall, security group, or NACL issues early?

That’s what this tip is all about 🕵️‍♂️

Let’s check those ports before YB or YBA are even installed.

⚙️ Why This Tip?

💡 Because YugabyteDB is a distributed system and distributed systems love open lines of communication!

Each YB component (master, tserver, YSQL, YCQL, YEDIS, YBA, etc.) listens on specific ports.

If even one of those is blocked between nodes or regions, you’ll run into weird errors like:

  • 🟥 “Connection refused” on replication links
  • 🟧 YBA unable to connect to the database or node agent
  • 🟨 yb-ctl or yba-ctl hangs mid-deploy

The following scripts help you verify connectivity between nodes and confirm all necessary ports are open before deployment begins.

🧱 Prerequisites

These scripts rely on one of the following common network tools being available:

  • 🧩 Telnet: Old-school but widely supported
  • ⚡ Netcat (nc): Faster, cleaner, and usually preinstalled

If you don’t have them, here’s how to install:

🖥️ Amazon Linux / RHEL / CentOS

sudo yum install -y telnet
sudo yum install -y nmap-ncat

💻 Ubuntu / Debian

sudo apt-get update
# "netcat" is only a virtual package on recent releases, so name a concrete one
sudo apt-get install -y telnet netcat-openbsd

You can confirm they’re installed with:

which telnet
which nc

If either command prints a valid path (like /usr/bin/telnet), you’re good to go ✅

🧩 Option 1: Using Telnet (Old-School, but Effective)

Telnet is often available by default, perfect for simple reachability checks.

Save this as yb_check_ports_telnet.sh:

#!/usr/bin/env bash
# yb_check_ports_telnet.sh (strict parsing)
# Requires bash 4+ (associative arrays).

HOST=${1:-127.0.0.1}

# --- Port map (port -> description) ---
declare -A PORT_DESC=(
  [22]="SSH / Node Agent"
  [54422]="Custom SSH port for universe nodes"
  [80]="HTTP for YBA"
  [8080]="Alternate HTTP for YBA"
  [443]="HTTPS for YBA / backups"
  [8800]="Replicated / YBA Web UI"
  [9090]="Prometheus"
  [9300]="Alert Manager"
  [13000]="YBA Node Agent RPC"
  [5433]="YSQL API"
  [6433]="Connection Pooling (optional)"
  [6379]="YEDIS API"
  [7000]="YB-Master Web UI"
  [7100]="YB-TServer Web UI"
  [9000]="YSQL Connection Manager"
  [9042]="YCQL API"
  [9100]="YB-TServer Internode RPC"
  [11000]="YB-Master RPC"
  [12000]="YB-TServer RPC"
  [18018]="YB Controller Web UI"
  [15433]="Yugabyted Standalone Web UI (optional)"
)

have_cmd(){ command -v "$1" >/dev/null 2>&1; }

# Succeeds only if telnet prints its "Connected to ..." banner.
check_with_telnet(){
  local host="$1" port="$2" out
  if have_cmd timeout; then
    out="$( (echo -e '\n' | timeout 4 telnet "$host" "$port") 2>&1 )"
  else
    out="$( (echo -e '\n' | telnet "$host" "$port") 2>&1 )"
  fi
  grep -qiE '(^|[^[:alnum:]_])Connected to[[:space:]]+' <<<"$out"
}

# Fallback when telnet is missing or its output did not match: bash's /dev/tcp.
# Bounded with timeout(1) when available so filtered ports do not hang.
check_with_bash_tcp(){
  if have_cmd timeout; then
    timeout 4 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" >/dev/null 2>&1
  else
    ( exec 3<>"/dev/tcp/${1}/${2}" ) >/dev/null 2>&1
  fi
}

echo "🔍 Checking connectivity to $HOST using Telnet..."
echo "---------------------------------------------------"
open_count=0
closed_count=0
declare -a closed_ports=()

# Sort ports numerically for stable output
for PORT in $(printf "%s\n" "${!PORT_DESC[@]}" | sort -n); do
  DESC=${PORT_DESC[$PORT]}
  if have_cmd telnet && check_with_telnet "$HOST" "$PORT"; then
    printf "✅ %-6s (%-45s) is OPEN on %s\n" "$PORT" "$DESC" "$HOST"
    open_count=$((open_count+1))
  elif check_with_bash_tcp "$HOST" "$PORT"; then
    printf "✅ %-6s (%-45s) is OPEN on %s\n" "$PORT" "$DESC" "$HOST"
    open_count=$((open_count+1))
  else
    printf "❌ %-6s (%-45s) is CLOSED or FILTERED on %s\n" "$PORT" "$DESC" "$HOST"
    closed_count=$((closed_count+1))
    closed_ports+=("$PORT")
  fi
done

echo "---------------------------------------------------"
echo "📊 Summary for $HOST:"
printf "  ✅ %2d ports OPEN / reachable\n" "$open_count"
printf "  ❌ %2d ports CLOSED or FILTERED\n" "$closed_count"
if ((closed_count > 0)); then
  echo "  🔒 Closed/Filtered ports: ${closed_ports[*]}"
fi
echo "---------------------------------------------------"
echo "✅ Completed check for host: $HOST"
				
			

Example:

[ec2-user@ip-10-9-3-89 jimk]$ ./yb_check_ports_telnet.sh 172.152.18.7
🔍 Checking connectivity to 172.152.18.7 using Telnet...
---------------------------------------------------
❌ 22     (SSH / Node Agent                             ) is CLOSED or FILTERED on 172.152.18.7
❌ 80     (HTTP for YBA                                 ) is CLOSED or FILTERED on 172.152.18.7
✅ 443    (HTTPS for YBA / backups                      ) is OPEN on 172.152.18.7
✅ 5433   (YSQL API                                     ) is OPEN on 172.152.18.7
❌ 6379   (YEDIS API                                    ) is CLOSED or FILTERED on 172.152.18.7
❌ 6433   (Connection Pooling (optional)                ) is CLOSED or FILTERED on 172.152.18.7
✅ 7000   (YB-Master Web UI                             ) is OPEN on 172.152.18.7
✅ 7100   (YB-TServer Web UI                            ) is OPEN on 172.152.18.7
❌ 8080   (Alternate HTTP for YBA                       ) is CLOSED or FILTERED on 172.152.18.7
❌ 8800   (Replicated / YBA Web UI                      ) is CLOSED or FILTERED on 172.152.18.7
✅ 9000   (YSQL Connection Manager                      ) is OPEN on 172.152.18.7
✅ 9042   (YCQL API                                     ) is OPEN on 172.152.18.7
✅ 9090   (Prometheus                                   ) is OPEN on 172.152.18.7
✅ 9100   (YB-TServer Internode RPC                     ) is OPEN on 172.152.18.7
✅ 9300   (Alert Manager                                ) is OPEN on 172.152.18.7
❌ 11000  (YB-Master RPC                                ) is CLOSED or FILTERED on 172.152.18.7
✅ 12000  (YB-TServer RPC                               ) is OPEN on 172.152.18.7
✅ 13000  (YBA Node Agent RPC                           ) is OPEN on 172.152.18.7
❌ 15433  (Yugabyted Standalone Web UI (optional)       ) is CLOSED or FILTERED on 172.152.18.7
✅ 18018  (YB Controller Web UI                         ) is OPEN on 172.152.18.7
✅ 54422  (Custom SSH port for universe nodes           ) is OPEN on 172.152.18.7
---------------------------------------------------
📊 Summary for 172.152.18.7:
  ✅ 13 ports OPEN / reachable
  ❌  8 ports CLOSED or FILTERED
  🔒 Closed/Filtered ports: 22 80 6379 6433 8080 8800 11000 15433
---------------------------------------------------
✅ Completed check for host: 172.152.18.7
				
			
🧩 Option 2: Using Netcat (Preferred Modern Method)

Save this as yb_check_ports_nc.sh:

#!/usr/bin/env bash
# Verify required YugabyteDB / YBA ports using netcat, with summary.
# Hardened: no 'set -e', works across nmap-ncat/GNU/BSD variants.

HOST=${1:-127.0.0.1}

# --- Port map (port -> description) ---
declare -A PORT_DESC=(
  # OS / Base
  [22]="SSH / Node Agent"
  [54422]="Custom SSH port for universe nodes"
  # YBA
  [80]="HTTP for YugabyteDB Anywhere"
  [8080]="Alternate HTTP for YugabyteDB Anywhere"
  [443]="HTTPS for YBA / backups"
  [8800]="Replicated / YBA Web UI"
  [9090]="Prometheus (metrics)"
  [9300]="Alert Manager"
  [13000]="YBA Node Agent RPC"
  # YugabyteDB Core
  [5433]="YSQL API"
  [6433]="Connection Pooling (optional)"
  [6379]="YEDIS API"
  [7000]="YB-Master Web UI"
  [7100]="YB-TServer Web UI"
  [9000]="YSQL Connection Manager"
  [9042]="YCQL API"
  [9100]="YB-TServer Internode RPC"
  [11000]="YB-Master RPC"
  [12000]="YB-TServer RPC"
  [18018]="YB Controller Web UI"
  [15433]="Yugabyted Standalone Web UI (optional)"
)

have_cmd(){ command -v "$1" >/dev/null 2>&1; }

# Try a few nc dialects; return 0 if port is open, 1 otherwise.
check_with_nc() {
  local host="$1" port="$2"
  # nmap-ncat / GNU netcat: supports -z (scan) and -w (timeout seconds)
  if nc -h 2>&1 | grep -q -- '-z'; then
    nc -z -w2 "$host" "$port" >/dev/null 2>&1
    return $?
  fi
  # BSD netcat: often uses -G for timeout, -z may still exist
  if nc -h 2>&1 | grep -q -- '-G'; then
    # -z may or may not exist; try a verbose connect and parse
    local out
    out="$( (echo | nc -v -G 2 "$host" "$port") 2>&1 )"
    grep -qiE 'open|succeed|Connected to' <<<"$out"
    return $?
  fi
  # Fallback: best-effort plain connect with a short timeout via timeout(1)
  if have_cmd timeout; then
    timeout 3 nc "$host" "$port" </dev/null >/dev/null 2>&1
  else
    nc "$host" "$port" </dev/null >/dev/null 2>&1
  fi
  return $?
}

if ! have_cmd nc; then
  echo "⚠️  netcat (nc) not found. Install with: sudo yum install -y nmap-ncat  # or: sudo apt-get install -y netcat-openbsd"
  exit 1
fi

echo "🔍 Checking ports on $HOST using netcat..."
echo "---------------------------------------------------"

open_count=0
closed_count=0
declare -a closed_ports=()

# Sort ports numerically for stable output
for PORT in $(printf "%s\n" "${!PORT_DESC[@]}" | sort -n); do
  DESC=${PORT_DESC[$PORT]}
  if check_with_nc "$HOST" "$PORT"; then
    printf "✅ %-6s (%-45s) reachable on %s\n" "$PORT" "$DESC" "$HOST"
    open_count=$((open_count+1))
  else
    printf "❌ %-6s (%-45s) not reachable on %s\n" "$PORT" "$DESC" "$HOST"
    closed_count=$((closed_count+1))
    closed_ports+=("$PORT")
  fi
done

echo "---------------------------------------------------"
echo "📊 Summary for $HOST:"
printf "  ✅ %2d ports OPEN / reachable\n" "$open_count"
printf "  ❌ %2d ports CLOSED or FILTERED\n" "$closed_count"
if [ "$closed_count" -gt 0 ]; then
  echo "  🔒 Closed/Filtered ports: ${closed_ports[*]}"
fi
echo "---------------------------------------------------"
echo "✅ Completed check for host: $HOST"
				
			

Example:

[ec2-user@ip-10-9-3-89 jimk]$ ./yb_check_ports_nc.sh 172.152.18.7
🔍 Checking ports on 172.152.18.7 using netcat...
---------------------------------------------------
❌ 22     (SSH / Node Agent                             ) not reachable on 172.152.18.7
❌ 80     (HTTP for YugabyteDB Anywhere                 ) not reachable on 172.152.18.7
✅ 443    (HTTPS for YBA / backups                      ) reachable on 172.152.18.7
✅ 5433   (YSQL API                                     ) reachable on 172.152.18.7
❌ 6379   (YEDIS API                                    ) not reachable on 172.152.18.7
❌ 6433   (Connection Pooling (optional)                ) not reachable on 172.152.18.7
✅ 7000   (YB-Master Web UI                             ) reachable on 172.152.18.7
✅ 7100   (YB-TServer Web UI                            ) reachable on 172.152.18.7
❌ 8080   (Alternate HTTP for YugabyteDB Anywhere       ) not reachable on 172.152.18.7
❌ 8800   (Replicated / YBA Web UI                      ) not reachable on 172.152.18.7
✅ 9000   (YSQL Connection Manager                      ) reachable on 172.152.18.7
✅ 9042   (YCQL API                                     ) reachable on 172.152.18.7
✅ 9090   (Prometheus (metrics)                         ) reachable on 172.152.18.7
✅ 9100   (YB-TServer Internode RPC                     ) reachable on 172.152.18.7
✅ 9300   (Alert Manager                                ) reachable on 172.152.18.7
❌ 11000  (YB-Master RPC                                ) not reachable on 172.152.18.7
✅ 12000  (YB-TServer RPC                               ) reachable on 172.152.18.7
✅ 13000  (YBA Node Agent RPC                           ) reachable on 172.152.18.7
❌ 15433  (Yugabyted Standalone Web UI (optional)       ) not reachable on 172.152.18.7
✅ 18018  (YB Controller Web UI                         ) reachable on 172.152.18.7
✅ 54422  (Custom SSH port for universe nodes           ) reachable on 172.152.18.7
---------------------------------------------------
📊 Summary for 172.152.18.7:
  ✅ 13 ports OPEN / reachable
  ❌  8 ports CLOSED or FILTERED
  🔒 Closed/Filtered ports: 22 80 6379 6433 8080 8800 11000 15433
---------------------------------------------------
✅ Completed check for host: 172.152.18.7
				
			
🌍 Pro Tip

Run these scripts from your bastion host or a peer node … that’s how to truly validate cross-node reachability.

If everything shows ✅, your environment’s ready to fly 🚀
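
Before installation nothing is listening on these ports yet, so a plain connect test reports a port as closed both when a firewall drops the traffic and when the path is open but no process has bound the port. The following is an added example, not part of the original tip (function names, verdict labels and the script name are assumptions), that separates those cases by looking at how the connect attempt failed:

```bash
#!/usr/bin/env bash
# Added example (not from the original tip): classify a TCP connect attempt so
# a pre-install run can tell "no listener yet" apart from "firewall drop".
# Function names and verdict labels are illustrative.

# $1 = exit status of the timed connect, $2 = its stderr text
classify() {
  case "$1:$2" in
    0:*)                     echo OPEN ;;         # handshake completed
    124:*|*"timed out"*)     echo FILTERED ;;     # SYN silently dropped
    *"Connection refused"*)  echo REFUSED ;;      # RST: path clear, no listener
    *"No route to host"*)    echo UNREACHABLE ;;  # ICMP: routing or REJECT rule
    *)                       echo ERROR ;;        # DNS failure, bad input, ...
  esac
}

# $1 = host, $2 = port, $3 = timeout in seconds (default 3)
probe() {
  local err rc
  err="$(LC_ALL=C timeout "${3:-3}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>&1)"
  rc=$?
  classify "$rc" "$err"
}

# Before installation nothing listens, so REFUSED still proves the path is open.
path_is_clear() {
  case "$1" in OPEN|REFUSED) return 0 ;; *) return 1 ;; esac
}

# Usage: ./yb_classify_ports.sh HOST PORT [PORT...]   (script name is hypothetical)
if [ "$#" -ge 2 ]; then
  host="$1"; shift
  blocked=0
  for port in "$@"; do
    verdict="$(probe "$host" "$port")"
    printf '%-6s %s\n' "$port" "$verdict"
    path_is_clear "$verdict" || blocked=$((blocked + 1))
  done
  echo "$blocked port(s) blocked between this node and $host"
  [ "$blocked" -eq 0 ]
fi
```

A firewall rule that rejects with a TCP reset also shows up as REFUSED, so for the ports that matter most, start a temporary listener on the target node and expect OPEN.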

🧠 Summary

  • ✅ Works before YBA/YB are installed
  • ✅ Displays each port with its purpose
  • ✅ Detects blocked ports early
  • ✅ Includes clean open/closed summary
  • ✅ Great for multi-region pre-flight validation

Have Fun!

🎄 Spotted at Lowe’s: Hermey the Dentist and the Bumble in all their holiday glory! Trying to convince my wife that these two need to live in our front yard this season. 🦷❄️ As Yukon Cornelius would say… “Nothin’ yet!” 🪓😆